Listen to this Post
Introduction:
In the relentless cat-and-mouse game of cybersecurity, attackers are constantly seeking out obscure, native tools to fly under the radar of Endpoint Detection and Response (EDR) systems. A recent revelation highlights the use of diskshadow.exe, a legitimate Microsoft-signed tool, to create volume shadow copies and extract the critical Active Directory database (NTDS.dit) without triggering common alerts. This technique bypasses the more commonly monitored vssadmin, posing a significant threat to enterprise environments.
Learning Objectives:
- Understand the mechanics of the diskshadow attack for NTDS.dit extraction.
- Learn how to create and deploy custom detection rules for this living-off-the-land binary (LOLBin) attack.
- Implement mitigation strategies to protect the Active Directory database from unauthorized shadow copy access.
You Should Know:
1. Crafting the Diskshadow Script
The attack relies on a script file to instruct diskshadow. This method is stealthier than typing commands directly into a console.
set verbose on set context persistent nowriters set metadata C:\Windows\Temp\0xdf.cab add volume c: alias 0xdf create expose %0xdf% e:
Step-by-step guide:
set verbose on: Enables detailed logging, which is useful for an attacker to debug the process.set context persistent nowriters: Sets the shadow copy context to “persistent,” meaning it survives a reboot, and “nowriters,” which pauses writer services to ensure data consistency.set metadata C:\Windows\Temp\0xdf.cab: Specifies the path for the shadow copy metadata file.add volume c: alias 0xdf: Defines the C: drive as the target volume and assigns it the alias “0xdf”.create: Initiates the creation of the shadow copy volume.expose %0xdf% e:: Exposes the newly created shadow copy with the alias “0xdf” as the E: drive, making its contents accessible for file operations.
2. Executing the Shadow Copy Attack
With the script saved (e.g., as C:\programdata\backup.txt), the attacker executes diskshadow to run the commands.
diskshadow /s C:\programdata\backup.txt
Step-by-step guide:
diskshadow: The native Windows command-line tool for managing the Volume Shadow Copy Service (VSS).- The `/s` switch tells diskshadow to execute the script file that follows the switch.
- This command reads the instructions from `backup.txt` and creates a shadow copy of the C: drive, which is mounted to the E: drive. The attacker can now navigate to `E:\Windows\NTDS\` and copy the `NTDS.dit` file, which is no longer locked by the operating system.
3. Extracting the NTDS.dit File
Once the shadow copy is exposed as a new drive letter, the attacker can simply copy the database file.
copy e:\Windows\NTDS\ntds.dit C:\programdata\ntds.dit
Step-by-step guide:
- This is a standard file copy command.
- It copies the `ntds.dit` file from the shadow copy location (
e:\Windows\NTDS\) to a writable directory likeC:\programdata. - With the file in their possession, the attacker can transfer it offline and use tools like `secretsdump.py` from the Impacket suite to extract the NTLM password hashes for every user in the domain.
4. Hunting for Diskshadow with PowerShell
Security teams can proactively hunt for diskshadow activity by querying Windows event logs or process creation logs.
Get-WinEvent -FilterHashtable @{LogName='Security'; ID='4688'} | Where-Object {$_.Message -like "diskshadow"}
Step-by-step guide:
- This PowerShell command queries the Security log for Event ID 4688 (a process has started).
- The `Where-Object` cmdlet filters the results to only show events where the command line contains the string “diskshadow”.
- Analysts should look for the full command line, particularly the use of the `/s` script option, to identify potentially malicious use.
5. Building a Sigma Detection Rule
For automated detection, a Sigma rule can be deployed to a Security Information and Event Management (SIEM) system.
title: Diskshadow Execution with Script status: experimental description: Detects the use of diskshadow with a script file, a common technique for stealthy NTDS.dit extraction. logsource: category: process_creation product: windows detection: selection: Image|endswith: '\diskshadow.exe' CommandLine|contains: '/s' condition: selection falsepositives: - Legitimate administrative use of diskshadow for backups. level: high
Step-by-step guide:
- This YAML-based rule triggers on any process creation event where the image path ends with `diskshadow.exe` and the command line contains the `/s` argument.
- The `description` and `falsepositives` fields provide context for security analysts.
- The `level: high` indicates a high-confidence alert. This rule should be tested and tuned in your environment to reduce false positives from legitimate backup activity.
6. Mitigating the Attack with Group Policy
One of the most effective mitigations is to restrict who can run diskshadow.exe.
Computer Configuration -> Windows Settings -> Security Settings -> Software Restriction Policies -> Additional Rules Path: %WINDIR%\System32\diskshadow.exe Security Level: Disallowed
Step-by-step guide:
- Open the Group Policy Management Editor on a Domain Controller.
- Navigate to the path shown above.
- Create a new path rule. The path should be
%WINDIR%\System32\diskshadow.exe. - Set the security level to “Disallowed”. This will prevent any user or process from executing diskshadow.exe on machines that receive this policy.
- Apply this policy to all workstations and servers where this tool is not required for legitimate business functions.
7. Auditing for VSS Shadow Copies
Regularly audit your environment for existing shadow copies, which could be evidence of a past or ongoing attack.
vssadmin list shadows
Step-by-step guide:
- Run this command from an elevated Command Prompt.
- It will list all existing volume shadow copies on the system, showing their volume, shadow copy ID, and original volume.
- Investigate any unexpected persistent shadow copies, especially those not associated with known backup software. You can delete a suspicious shadow copy with
vssadmin delete shadows /Shadow={ID}.
What Undercode Say:
- LOLBins Are the New Normal: The use of diskshadow confirms a continuing trend where attackers heavily leverage Living-off-the-Land Binaries. Defenders must shift their focus from just hunting for malware executables to deeply understanding the command-line arguments and scripting behaviors of native OS tools.
- Context is King for Detection: As highlighted in the discussion, `diskshadow /s` generates hundreds of legitimate events in a typical MDR environment. Building a high-fidelity detection strategy requires correlating this activity with other signals, such as the subsequent access to the NTDS.dit file, network connections to suspicious IPs, or the execution of credential dumping tools.
The analysis reveals a critical challenge in modern security operations: the tools necessary for system administration are a double-edged sword. While blocking diskshadow outright may be feasible for some organizations, for others it is a required tool. Therefore, the defense-in-depth strategy cannot rely on a single detection. It requires a layered approach combining application control (to restrict the tool where possible), detailed process logging (to capture the command-line context), and behavioral analytics (to detect the entire attack chain from shadow copy creation to hash extraction). The “interesting” EDR test results mentioned likely point to a significant detection gap, underscoring the need for custom, context-aware hunting rules.
Prediction:
The abuse of diskshadow is a precursor to a broader wave of “identity-centric” attacks that leverage trusted system components. As EDRs improve at detecting Mimikatz and other popular tools, attackers will dive deeper into the Windows ecosystem, weaponizing even more obscure APIs and system binaries. Future attacks will likely automate this process, combining diskshadow with in-memory parsing of the NTDS.dit to avoid ever writing the file to disk, making detection even more difficult. This evolution will force a fundamental shift in defensive postures from a primary focus on malware detection to a comprehensive identity and access management strategy, where every access to credential material is heavily audited and privileged identities are fiercely protected.
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Stephan Berger – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
